Exit Interview With Florida’s CISO Danielle Alvarez

Danielle Alvarez has served as Florida’s CISO for more than two years, but on June 1, 2017, she will serve her last day in the Agency for State Technology (AST). Alvarez told 21st Century State & Local that she will become a cybersecurity strategist for Hayes, a minority-owned business in the state, where she will design cybersecurity services. “I view it as a way to serve the state, just from the other side of the fence,” Alvarez said.

Before stepping down, Alvarez spoke with 21st Century State & Local about her work within the state and her hopes for her replacement.

21C: You started with AST in November of 2014. What was your first major project with the agency?

Danielle Alvarez: When I came on there wasn’t an existing comprehensive cybersecurity framework; what we had was older security rules that were patchworked together. While we relied heavily on the NIST Cybersecurity Framework, we did have specific goals for Florida and our state agencies. I took a collaborative approach to developing a specific framework for Florida. We bounced the framework we were developing off of security managers for each of the agencies. Those managers sent it downstream in their offices and were able to get great feedback from state employees. With that feedback, we developed a truly comprehensive framework.

Danielle Alvarez has served as the CISO in Florida since November 2014. (Photo: The State of Florida)

21C: Cybersecurity threats can pop up at a moment’s notice. In the past couple of weeks we’ve seen both the Google Docs phishing scam and the WannaCry ransomware. How does your office react to threats in real time?

DA: We absolutely assess all threats that come in. Our initial take is to determine if we are supporting a platform that is susceptible. For instance, we did receive notice of the WannaCry ransomware late Friday afternoon. We are seeing a trend that these things are hitting us late in the day on Friday, which is unfortunately the end of our business day. To deal with these threats, we do have a team on call 24 hours a day. We spent all Friday night and most of the weekend monitoring the situation.

We also ramped up our collaboration with our sister agencies and our data center customers. We have other state agencies that don’t use our data center and we kept in communication with them to make sure they know what we know. We are still monitoring it and staying abreast with how the attack is morphing. Coming in on the backside of it, I did get a lot of positive response back from our sister agencies regarding our level of communication and how we kept everyone in the loop.

21C: Security threats can be both malicious and accidental. How do you train state employees to help keep data safe?

DA: You find that the accidental occurrences tend to be highest in volume. Malicious incidents tend to get more attention, accidental is constant. What we’re trying to do is focus on situational awareness.

I liken it to my mother, who is a nurse; she is an excellent nurse, but not a great IT person. I am going to speak differently to her than I would to a database manager or a network administrator. We are focused on situational awareness that is germane to a particular individual’s situation. We want to train them to that level and focus on threats that may be directed to them.

I rely on information security managers at the various agencies. They have staff that they know better than I do. They know their lines of business and they know what message will speak to their staff. We rely on them to establish programs that are most beneficial to their workforce.

21C: What initiative that you’ve worked on are you most proud of?

DA: We worked with the state Legislature to get funding for third-party risk assessments for our state agencies. I was initially concerned with how to manage the volume of data for 16 agencies. So, our team created a risk assessment tool that allowed our third-party vendors to summarize their findings in a way that matched up with the NIST Cybersecurity Framework. It allowed us to standardize the results in a way that made the data useful and actionable.

NIST saw our risk assessment tool and reached out to ask if they could host it on their resource page, since it aligned with their framework. We are really proud that the tool, which was created by AST staff, has become a model for how other states can understand their risk posture.

21C: As you prepare to step down, what are your hopes for the next CISO?

DA: There is a wonderful foundation here in Florida. I hope the person who comes in behind me takes the path of collaboration. We are able to effect more change if we engage the other state agencies. It can take time to build up that level of trust, which I have been able to do over my time in AST.